Digicomp Microsoft Evolution Day 2015

MIM 2016

Oliver Ryf

Partner:


Agenda

Welcome

About the speaker

PowerShell Desired State Configuration

Q&A

Follow-up courses


About the speaker

IT trainer since 1991

1995: MCSE and MCT

Since 2000 various projects in Windows/Office migrations, Active Directory, infrastructure, Hyper-V and Azure Cloud

Trainer at Digicomp since 2006

Since 2014 Principal Consultant and Cloud Architect at UP-Great AG, Fehraltorf


IAM: a comprehensive solution

• Active Directory is the primary authentication source in companies

• Active Directory Federation Services integrates AD with Azure AD and MFA

• Web Application Proxy allows edge pre-authentication

• Enables conditional access for resources

Identity Manager

• Provides self-service identity management

• Automates lifecycle management across heterogeneous platforms

• Allows defining comprehensive policies to enforce corporate rules for identity and access

Azure Active Directory

• Cloud directory

• Cloud authentication

• Azure Active Directory Premium includes Multi-Factor Authentication, plus server and user CALs for Identity Manager

Windows Server

Microsoft Identity Manager


MIM for end-to-end IAM policies

On-premises and private cloud

Azure Active Directory

Azure AD App Proxy

Your apps


Identity Manager capabilities

Clients: Windows, Outlook, Portal, Custom

Policies and workflow: Request, Permission, AuthN, AuthZ, Action, Service DB

Identity stores: cloud services, databases, directories, applications

Identity Manager platform scenarios: identity synchronization, role management, certificate management, group management, password reset


MIM 2016

Up-To-Date

Updated platform support

Certificate Management updated

Self-service account unlock added!!

Privileged Access Mgmt

Improved protection of admins

Just In Time (JIT) admin access

Auditing for alerts and reports


MIM 2016

Hybrid IAM

Self-service password reset with Azure MFA as a gate

Hybrid reporting

AAD and Office365 integration

Privileged Access Management


Privileged accounts: the risk

Research & preparation

First workstation compromised

24-48 hours

Domain admin compromised

Data exfiltration (attacker undetected)

11-14 months

Attack discovered

The solution: just-in-time admin access

Prepare: which users have privileged access rights based on AD groups?

Protect: step-up lifecycle and AuthN protection of privileged user accounts

Operate: users can request Just In Time (JIT) and Just Enough administrator access privileges

Monitor: additional auditing, alerts & reports of privileged access requests


Just-in-Time Solution Focus

Domain account Authentication and Authorization

Managing privileged access with:

Step-up and Proof-up

Isolation/scoping of privileges

Additional logging

Customizable workflow


JIT Solution Architecture

Existing: AD forest(s), WS 2003 or later; existing FIM; existing apps (access requests); user with existing trust

Privileged Access Management: Microsoft Identity Manager configured for PAM; AD DS vNext; optional trust for admin access

User: PRIV\JenAdmin

Groups: CORP\Resource Admins

Refresh after: 60 minutes

User “Jen” and group “Resource Admins” in the existing forest:

Group: Resource Admins

Domain: CORP

Candidate: Jen

Time-based memberships for user “JenAdmin”


Functional architecture

MIM Service: AuthZ WF, Action WF, MPR

AD DS vNext

MIM Service DB: User, Group, PAM Role

Event Log

PAM request: Microsoft Identity Manager, PowerShell (New-PAMRequest)

runas, whoami /groups


PAM Request

PowerShell

New-PAMRequest

REST API (web pages)
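The request flow sketched on the last two slides (a candidate asks for a PAM role, MIM adds a time-limited membership in the PRIV forest, a fresh token shows the group via whoami /groups, and the request is audited), as an added PowerShell example that is not part of the deck. It uses the MIMPAM client module cmdlets Get-PAMRoleForRequest, New-PAMRequest, Get-PAMRequest and Close-PAMRequest; the role name "Resource Admins", the PRIV\JenAdmin account and the 60-minute refresh come from the slides, while the server host names, the justification text, the shadow group name "CORP.Resource Admins" and the -Justification, -RequestedTTL and -Request parameter names are assumptions to verify against your MIM build. The REST endpoint layout follows the MIM PAM REST API reference.

```powershell
# Added example (not from the deck): a PAM candidate requests JIT access,
# verifies the time-limited membership, and an administrator checks the TTL.
# Assumptions: the MIMPAM client module is installed on the PRIV workstation;
# host names, the justification text and the shadow group name are placeholders.

Import-Module MIMPAM

$roleName = 'Resource Admins'          # role name taken from the slide

# Prepare: only roles the signed-in user is a candidate for are returned.
$role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    throw "Not a candidate for PAM role '$roleName'."
}

# Operate: request the role. The justification is stored with the request
# and is what the auditing/reporting on the later slides is built on.
# 3600 seconds matches the slide's "Refresh after: 60 minutes".
# (-Justification and -RequestedTTL are assumed parameter names; check
#  Get-Help New-PAMRequest on your MIM build.)
$request = New-PAMRequest -Role $role `
    -Justification 'Ticket PLACEHOLDER: patch file cluster' `
    -RequestedTTL 3600

# The new membership is only visible in a token issued after the request,
# which is why the slide pairs "runas" with "whoami /groups":
#   runas /user:PRIV\JenAdmin powershell.exe
#   whoami /groups | findstr /i "Resource Admins"

# Monitor: the caller's own requests, including their expiry.
Get-PAMRequest | Format-List

# Release the privilege as soon as the task is done rather than waiting
# for the TTL to expire. (-Request is an assumed parameter name.)
Close-PAMRequest -Request $request

# Same request over the PAM REST API (the "REST API" path on the slide).
# Endpoint layout per the MIM PAM REST API reference; host/port are placeholders.
$pamApi = 'http://pamserver.priv.example:8086/api/pamresources'
$roles  = Invoke-RestMethod -Uri "$pamApi/pamroles" -UseDefaultCredentials
$roleId = ($roles.value | Where-Object { $_.DisplayName -eq $roleName }).RoleId
$body = @{
    RoleId        = $roleId
    Justification = 'Ticket PLACEHOLDER: patch file cluster'
    RequestedTTL  = '3600'
} | ConvertTo-Json
Invoke-RestMethod -Uri "$pamApi/pamrequests" -Method Post -Body $body `
    -ContentType 'application/json' -UseDefaultCredentials

# Administrator side (AD DS vNext, i.e. the Windows Server 2016 PAM feature):
# the shadow group in PRIV holds expiring links; -ShowMemberTimeToLive returns
# members as "<TTL=<seconds>,CN=...>" so you can see which grants are about to lapse.
# The shadow group name "CORP.Resource Admins" is an assumption.
Get-ADGroup -Server 'privdc.priv.example' -Identity 'CORP.Resource Admins' `
    -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

The useful defender-side habits here are the two ends of the flow: a justification that later shows up in the event log and reports, and closing the request early instead of letting a 60-minute grant sit idle on a workstation.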


Hybrid Identity Management


Hybrid IAM with MIM vNext

Hybrid MIM Reporting

Hybrid Sync

SSPR with Azure phone authentication

O365 Integration


IAM Reporting & Auditing: Status

FIM activity reports delivered via System Center Service Manager

FIM 2010 R2


IAM Reporting & Auditing: Current State

Azure AD activity reports from the Azure portal

Azure AD Reports


Hybrid Reporting

Hybrid reporting:

• Adding scenario-based reporting

• Reports can ship with Azure portal updates

• Easier to deploy using cloud storage

• Easier to generate custom reports

Existing FIM reporting (System Center Service Manager / SCDW):

• Reports show FIM Service DB changes

• Reports ship as part of FIM major releases

• May require separate SQL and SCDW hosts

• Custom reports require SCDW skills


Hybrid Reporting: Unified Experience


Provisioning and Synchronization

HR system

MIM

Manager

Active Directory

Exchange

LDAP

Oracle DB

Finance

New employee / Departing employee


Provisioning and Synchronization

HR system

MIM

Manager

Windows Server Active Directory

LDAP

Oracle DB

Finance

Exchange Online

SharePoint Online

Azure

SaaS app

Microsoft Azure Active Directory / Azure AD Sync


Roadmap: current vs. previous

AAD and MIM Sync

SSPR with MFA Gate


SSPR with Phone AuthN

New “Phone Gate” activity for implementing an additional phone authN as part of an SSPR workflow

MIM Modernization


MIM 2016: modern functionality

Self-service Account Unlock

• With BYOD devices it happens more often that accounts get locked after a password change

• Enable self-service unlocking of accounts (without password reset)

Certificate Management modernization

• Modern App für self-service

• New REST API

• OAuth 2 enabled

• CM server support for AD multi-forests

Support for “current” platforms

• Windows Server 2012 R2 and later, SQL Server 2014, SharePoint 2013, Exchange 2013, Visual Studio 2013, ...


Certificate Management with a Windows Store app


Q&A


Follow-up courses

Company-specific workshops

Recommended